NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

AUDIT MEMORANDUM: ANALYSIS OF
REGION V 5300 CALL REPORT REFERRAL

Report #OIG-05-01
January 10, 2005

William A. DeSarno
Acting Inspector General

Prepared by:

Tammy F. Rapp, CPA, CISA
Sr. Information Technology Auditor

TO:      J. Leonard Skiles
         Executive Director

FROM:    William A. DeSarno
         Acting Inspector General

DATE:    January 10, 2005

SUBJECT: OIG Analysis of Call Report Referral
         Report #OIG-05-01

NCUA's Region V Director requested that the OIG look into a matter involving a specific 5300 call report. Specifically, Region V was concerned about 5300 edit checks that may have been overridden by an examiner and whether this might have occurred with other call reports. Region V provided us with a report prepared by the Office of Examination and Insurance (E&I) regarding this particular call report, which stated that the "examiner circumvented established controls and uploaded incorrect data."

OBJECTIVE

The objective of our work was to determine whether a preventive control in the 5300 call report upload process was circumvented and whether this represents a systemic problem.

SCOPE AND METHODOLOGY

The scope of our work was limited to an isolated incident of a 5300 call report uploaded for one credit union located in Region V.

We interviewed the examiner who uploaded the subject call report, as well as staff from E&I and the Office of the Chief Information Officer (OCIO). We reviewed historical documentation relating to the incident, including March and June 2004 5300 data for this particular credit union. We reviewed the security plan and other documentation prepared by E&I and OCIO relating to this incident.

We also performed limited testing of the 5300EX application. Specifically, we tested whether the data could be modified outside of the application. We did not attempt to perform any transmission or uploads of the data to the server. We also did not determine the accuracy of the data presented in the March or June call reports.

Due to the limited scope of this project, we did not follow Yellow Book audit standards. Accordingly, our suggestions are not covered by NCUA's Audit Follow-up Instruction 1910.6.

5300 BACKGROUND [1]

Credit unions deliver the financial data to the examiner using one of several methods, including a paper form physically delivered or faxed, verbal collection over the telephone, on-site collection, or electronic delivery via diskette or the internet. Beyond the delivery format, NCUA has no control over the program used by the credit union to generate the data file. NCUA provides the agency-developed 5300 Credit Union software program for credit union use; however, the credit union is not obligated to use the program. The 5300 program provides credit union officials the ability to produce a file containing financial data. Credit unions transmit the file to the examiner either on a diskette or on-line through an NCUA server.

The examiner has an expanded version of the 5300 installed on the standard NCUA notebook computer. This version allows the examiner to load the data file provided by the credit union. This version also allows the examiner to upload verified data to the production SQL database.

The 5300 Call Report software contains edits that either stop the transmission or warn the user of potentially erroneous data. Additional edits on the processing server recheck the data integrity upon receipt.

[1] Source: NCUA Call Report System Security Plan, June 2, 2004

OBSERVATIONS

Our review of historical documentation shows the examiner attempted to upload at least five call reports for one credit union during the June 2004 call report cycle. Our review of the documentation and interviews of key staff also indicated that all but two of these uploads were rejected by the server. The first call report accepted by the server, on July 25, 2004, appeared to represent March 2004 data with some adjustments. Although the file did not accurately reflect June 2004 data, it was in the correct format and appeared reasonable. The last call report accepted by the server, on July 30, 2004, represented the credit union's June 2004 data.

We interviewed the examiner and learned that approximately 40 percent of her credit unions did not receive their 5300 package for the June 2004 cycle. The examiner advised the credit union that is the subject of this report to use its prior-cycle software to input the data and then transmit the file. The examiner attempted to upload this data. However, the server rejected it since it had the wrong date. The examiner then opened the data file using Notepad and changed the month from 03 to 06, saved the file, and imported this file into 5300EX. The data file did not produce any warnings and passed all the edit checks. However, the server again rejected this file because it was in the short format. The short form is optional only during the March and September cycles for credit unions with total assets less than $10,000,000. The examiner finally waited for the credit union to receive the June 2004 5300 package and complete the proper form, which was then transmitted successfully on July 30, 2004.

ANALYSIS & CONCLUSION

Controls were effective and prevented 5300 data that was in an unacceptable format from being accepted by the server. Although there were multiple attempts to upload 5300 data, the server rejected all but two. Although the data was an estimate, the first successful upload represented data in the correct format. The second upload that was accepted by the server represented actual data in the correct format. In addition to the server rejecting data in an unacceptable format, additional controls notified OCIO that there was a problem with this credit union's 5300 call report transmission by their examiner.

We learned that there is a well-known back door for modifying data before uploading it to the server. Examiners have the ability to open the 5300 XML file in Notepad and modify data prior to uploading, and sometimes do so.

SUGGESTION

The OIG suggests that E&I consider whether data modified outside of the 5300 program poses a material risk to 5300 data integrity. If E&I determines the risk is significant, it should work with OCIO to determine the best solution for preserving data integrity and preventing modification outside of the program.

Distribution:
    Board Chairman, JoAnn M. Johnson
    Board Member, Deborah Matz
    Deputy Executive Director, J. Owen Cole, Jr.
    Director, Office of Examination & Insurance, David M. Marquis
    Director, Region V, Melinda Love
    Chief Information Officer, Doug Verner
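The following is an added illustration, not part of the OIG memorandum and not NCUA's 5300EX or server code. It models the two-layer control the Observations and Suggestion sections describe: server-side edits that re-validate the cycle date and short-form eligibility (March/September only, assets under $10,000,000), plus an integrity tag that detects a file modified outside the producing program, which is the "Notepad back door" the report identifies. The XML element names, the file layout, the HMAC key and the function names are constructed assumptions for illustration; the memorandum does not describe the real 5300 file format.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a 5300 data file (not NCUA's real layout):
# a March 2004 short-form report for a small credit union.
MARCH_FILE = b"""<callReport>
  <cycle>2004-03</cycle>
  <form>short</form>
  <totalAssets>8500000</totalAssets>
</callReport>"""

# Hypothetical key shared by the producing program and the server (assumption).
PROGRAM_KEY = b"constructed-demo-key"

# Rule from the memorandum: short form only in March and September cycles,
# and only for credit unions with total assets below $10,000,000.
SHORT_FORM_MONTHS = {"03", "09"}
SHORT_FORM_ASSET_LIMIT = 10_000_000


def tag_file(data: bytes, key: bytes = PROGRAM_KEY) -> str:
    """Integrity tag the producing program attaches when it writes the file."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def server_checks(data: bytes, tag: str, expected_cycle: str,
                  key: bytes = PROGRAM_KEY) -> list:
    """Re-run the edit checks on receipt; return rejection reasons (empty means accept)."""
    reasons = []
    # 1. Integrity: a file edited in a text editor after the program wrote it
    #    no longer matches the tag computed over the original bytes.
    if not hmac.compare_digest(tag_file(data, key), tag):
        reasons.append("integrity tag mismatch: file modified outside the program")
    root = ET.fromstring(data)
    cycle = root.findtext("cycle", "")
    form = root.findtext("form", "")
    assets = int(root.findtext("totalAssets", "0"))
    # 2. The cycle in the file must be the cycle being collected.
    if cycle != expected_cycle:
        reasons.append(f"wrong cycle: file is {cycle}, expected {expected_cycle}")
    # 3. Short form is only permitted in March/September and under the asset limit.
    month = cycle[-2:]
    if form == "short":
        if month not in SHORT_FORM_MONTHS:
            reasons.append(f"short form not permitted for cycle month {month}")
        if assets >= SHORT_FORM_ASSET_LIMIT:
            reasons.append("short form not permitted at or above asset limit")
    return reasons


def relabel_cycle(data: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate the out-of-band edit from the report: change the month in the raw
    file without going through the program, so the original tag no longer matches."""
    return data.replace(old, new)


def demo() -> dict:
    """Walk through the sequence of uploads the memorandum describes."""
    tag = tag_file(MARCH_FILE)
    return {
        # Prior-cycle file sent during the June collection: rejected for wrong date.
        "march_file_in_june": server_checks(MARCH_FILE, tag, "2004-06"),
        # Same file with the month hand-edited 03 -> 06: the tag check now fires,
        # and the short form is still rejected because June is not a short-form cycle.
        "relabelled_file": server_checks(
            relabel_cycle(MARCH_FILE, b"2004-03", b"2004-06"), tag, "2004-06"),
    }


if __name__ == "__main__":
    for step, reasons in demo().items():
        print(step, "->", reasons or "accepted")
```

The shared-secret HMAC is the simplest way to show the detection; in a real deployment the key (or a signing key on the credit union side) must not be readable from the workstation where the editing happens, otherwise the tag can be regenerated along with the edit. The design point the memorandum makes stands regardless of mechanism: the client-side edit checks in 5300EX can be bypassed by editing the file before import, so the server must re-validate every rule itself and must be able to tell whether the bytes it received are the ones the program produced.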